Page History

...

This non-compliant code example is taken from an actual vulnerability in bash versions 1.14.6 and earlier that resulted in the release of CERT Advisory CA-1996-22. This vulnerability resulted from the declaration of the string variable in the yy_string_get() function as char * in the parse.y module of the bash source code :

Code Block

bgColor	#FFcccc


static int yy_string_get() {
  register char *string;
  register int c;

  string = bash_input.location.string;
  c = EOF;

  /* If the string doesn't exist, or is empty, EOF found. */
  if (string && *string) {
      c = *string++;
      bash_input.location.string = string;
    }
  return (c);
}

...

char i;

Compliant Solution

This problem is easily repaired by explicitly declaring the string variable as unsigned char.

Code Block

bgColor	#ccccff


static int yy_string_get() {
  register unsigned char *string;
  register int c;

  string = bash_input.location.string;
  c = EOF;

  /* If the string doesn't exist, or is empty, EOF found. */
  if (string && *string) {
      c = *string++;
      bash_input.location.string = string;
    }
  return (c);
}i;

Risk Assessment

This is a subtle error that results in a disturbingly broad range of potentially severe vulnerabilities.

...

Space shortcuts

Page tree

Versions Compared

Old Version 15

New Version 16

Key

Compliant Solution

Risk Assessment